WO 2004/046974 



- 34 - 
CLAIMS 



PCT/FR2003/003309 



1. A method for analyzing the security of an 
information system comprising: 

5 - a modeling phase (1, 2), comprising the 

modeling of the information system, 

a simulation phase, comprising the 

specification (3) and the simulation (4) of potential 
attacks against the information system. 

10 

2. The method as claimed in claim 1, according to 
which the modeling phase comprises the specification 
(1) of the architecture of the system with a set of 
components of the system and relations between said 

15 components. 

3. The method as claimed in claim 2, according to 
which, a name being associated with each component, one 
or more adjectives may also be associated with said 

20 component, which adjectives make it possible to 
designate . said component without naming it. 

4. The method as claimed in claim 2 or claim 3, 
according to which determined states are associated 

25 with each component of the information system, each 
state being able to take a sound value and one or more 
unsound values. 

5. The method as claimed in claim 4, according to 
30 which certain at least of said states pertain 

respectively to the activity, the confidentiality , the 
integrity and/or the availability of the component with 
which they are associated. 

35 6. The method as claimed in any one of claims 2 to 5, 
according to which an alleged name may be associated 
with any determined component, in particular in the 
case where said determined component is a usurper. 
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7. The method as claimed in any one of claims 2 to 6, 
according to which a link to another component may be 
associated with any determined component, in particular 

5 in the case where said determined component is usurped 
and where said other component is a usurper. 

8. The method as claimed in any one of claims 2 to 7, 
according to which the relations between any two 

10 determined components comprise bidirectional 

propagation relations able to convey attacks in both 
directions . 

9. The method as claimed in any one of claims 2 to 8, 
15 according to which the relations between any two 

determined components comprise service relations making 
it possible to designate a component on the basis of 
another component . 

20 10. The method as claimed in claim 2, according to 
which the modeling phase furthermore comprises the 
specification (2) of a set of behavioral rules 
associated with the components of the system. 

25 11. The method as claimed in claim 10, according to 
which each behavioral rule comprises one or more 
predicates, and/or one or more actions. 

12. The method as claimed in claim 10 or claim 11, 
30 according to which the behavioral rules comprise rules 

for propagating attacks, these rules being for example 
implemented in components which are vectors of attacks, 
and rules for absorbing attacks, these rules being for 
example implemented in components which are the target 
35 of attacks . 

13. The method as claimed in any one of claims 10 to 
12, according to which the behavioral rules comprise 
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binary rules, for example Boolean logic conditions 
giving a value of type yes/no, and/or functional rules, 
for example logic conditions involving a routing action 
(for a propagation rule) or contagion action (for an 
5 absorption rule) . 

14. The method as claimed in any one of claims 2 to 13 
comprising, at the end of the modeling phase (Figure 
3), the construction (35) of a local routing table, 

10 making it possible to direct an attack from a start 
component to a finish component. 

15. The method as claimed in claim 14, according to 
which the local routing table is generated 

15 automatically according to the principle of the 
shortest path between the start component and the 
finish component. 

16. The method as claimed in any one of' claims 3 to 
20 15, according to which the attacks simulation step 

comprises the updating of the state of a component of 
the system altered by a successful attack. 

17. The method as claimed in claim 16, according to 
25 which the simulation phase furthermore comprises the 

building of a file or journal of the attacks, 
containing the log of the changes of the state of the 
components consequent upon successful attacks, in 
particular to allow subsequent processing by a user. 

30 

18. The method as 
claims, according 
elementary attacks 
values . 

35 

19. The method as claimed in any one of the preceding 
claims, according to which the attacks furthermore 
comprise a special usurping attack. 



claimed in any one of the preceding 
to which the attacks comprise 
corresponding to unsound state 



WO 2004/046974 



- 37 - 



PCT/FR2003/003309 



20. The method as claimed in any one of the preceding 
claims, according to which an attack is defined, in 
particular, by a type of attack, a type of protocol, 

5 and attack path elements. 

21. The method as claimed in claim 20, according to 
which the attack path elements comprise a start 
component, a finish component, a target component, and 

10 as appropriate one or more intermediate components. 

22. The method as claimed in claim 20 or claim 21, 
according to which the list of components already 
traversed by an attack is saved in at least one or more 

15 upstream stacks. 

23. The method as claimed in claim 22, according to 
which the upstream stacks comprise a stack (110) 
containing the exhaustive list of all the components 

20 traversed, designated by their real name. 

24. The method as claimed in claim 22 or claim 23, 
according to which the upstream stacks comprise a stack 
(120) containing the list of only those components 

25 traversed which are opaque, designated by their real 
name or, as appropriate, by their alleged name. 

25. The method as claimed in any one of claims 20 to 

24, according to which the list of destination 
30 components of an attack is saved in at least one 

downstream stack (130). 

26. The method as claimed in any one of claims 10 to 

25, according to which the attacks are defined in a 
35 language using the same words as a language in which 

the behavioral rules are defined. 

27. The method as claimed in any one of the preceding 
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claims, according to which the modeling phase and/or 
the simulation phase are implemented by a user by means 
of a man/machine interface comprising a multiview 
functionality, according to which a graphical 
5 representation of the system is presented to the user 
as several views. 

28. The method as claimed in claim 27, according to 
which each view represents a subsystem of the system, 

10 which is relatively autonomous and independent of the 
remainder of the system. 

29. The method as claimed in claim 27 or claim 28, 
according to which the function of interconnection 

15 between the components included in two distinct views 
is ensured only via the common component or the common 
components shared by the two views. 

30. The method as claimed in any one of claims 27 to 
20 29, according to which the behavioral rules for the 

components belonging . to a view do not call by name upon 
components belonging to another view. 

31. The method as claimed in any one of claims 27 to 
25 30, according to which the views are associated with 

respective subsystems, for example of like level, which 
are interconnected together via at least one common 
component . 

30 32. The method as claimed in any one of claims 27 to 
30, according to which a higher view is associated with 
the system as a whole, whereas one or more lower views 
are respectively associated with a determined subsystem 
of the system. 

35 

33. The method as claimed in claim 32, according to 
which a determined component, common to the higher view 
and to a determined lower view, represents the 
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corresponding subsystem viewed from the system as a 
whole, and vice versa. 

34. The method as claimed in claim 33, according to 
5 which said common component is the sole interface 

between the higher view and said determined lower view. 

35. The method as claimed in any one of the preceding 
claims, according to which the modeling phase 

10 furthermore comprises the specification of one or more 
basic metrics associated respectively with the 
components . 

36. The method as claimed in claim 35, according to 
15 which the basic metrics comprise, a metric of 

effectiveness of parries, a metric of effectiveness of 
detection of attacks, and/or a metric of the means of 
an attacker . 

20 37. The method as claimed in any one of the preceding 
claims, according to which the simulation phase 
comprises the calculation of one or more metrics of 
probability of mishap. 

25 38. The method as claimed in claim 37,. according to 
which the metrics of probability of mishap comprise a 
metric of probability of passage of an attack on a 
component . 

30 39. The method as claimed in claims 36 and 38, 
according to which the metric of probability of passage 
of an attack on a component is calculated according to 
the formula "'probability of passage = (means of the 
attacker )/ (effectiveness of the protection)". 

35 

40. The method as claimed in claim 37, according to 
which the metrics of probability of mishap comprise a 
metric of probability of nondetection of an attack on a 



WO 2004/046974 

component . 



- 40 - 



PCT/FR2003/003309 



41. The method as claimed in claims 36 and 40, 
according to which the metric of probability of 

5 nondetection of an attack on a component is calculated 
according to the formula "probability of nondetection = 
(means of the attacker) / (effectiveness of the 
detection) " . 

42. A device for the implementation of the method as 
claimed in any one of the preceding claims, comprising 
a man/machine interface (15) for the implementation of 
the modeling phase and/or an attacks/parries engine 
(16) for the implementation of the simulation phase. 

43. The device as claimed in claim 42, in which the 
man/machine interface exhibits a functionality of 
multiview display of the system modeled. 

20 44. The device as claimed in claim 42 or claim 43, in 

which the man/machine interface makes it possible to 

display the system modeled according to a 
components/relations model . 



10 



15 



